While conducting vulnerability assessments, an information security analyst is calculating risk scores to prioritize remediation efforts. Which factor should be MOST heavily weighted to make sure the score reflects how urgent the vulnerability is for the organization's unique environment?
The difficulty level associated with exploiting the vulnerability as rated by an external security advisory
The average time it has taken the organization to patch vulnerabilities with similar complexity in the past
The exposure of high-value assets to the vulnerability and the potential business impact
The percentage of industry peers that have already mitigated the vulnerability
Giving the greatest weight to how exposed high-value assets are, and to the potential business impact if they are compromised, aligns the risk score with what matters most: protecting critical business operations. If a vulnerability affects a system that stores customer data or supports revenue generation, the organization faces far greater consequences than it would from the same flaw on a low-value, isolated asset. The other factors (historical patch times, exploit difficulty as rated by an external advisory, and peer-industry mitigation rates) provide useful context, but they are largely independent of the organization's own environment and do not measure how damaging a successful exploit would be to its mission-critical assets.
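The following is an added illustration, not part of the original question or its explanation, of how such a weighting plays out when findings are ranked. The weights, the 1-5 criticality scale, the exposure factors and the three sample findings are all constructed for this example and are not taken from any published scoring standard; an organization would calibrate them to its own asset inventory. The point it shows is that the same advisory-rated flaw scores very differently depending on the asset it sits on, and that a hard-to-exploit flaw on a critical asset can outrank an easy one on a low-value asset.

```python
from dataclasses import dataclass
from typing import List

# Constructed, illustrative factors: how reachable an asset is from an attacker's
# likely position. Internet-facing assets carry full weight, isolated ones very little.
EXPOSURE_FACTOR = {"internet": 1.0, "internal": 0.6, "isolated": 0.2}

# Constructed weights: asset impact and exposure together carry 80% of the score,
# the environment-independent advisory rating only 20%.
W_IMPACT, W_EXPOSURE, W_EXPLOIT = 0.5, 0.3, 0.2


@dataclass(frozen=True)
class Finding:
    label: str
    asset: str
    advisory_exploitability: float  # 0.0-1.0, as rated by an external advisory
    asset_criticality: int          # 1-5, the organization's own business-impact rating
    exposure: str                   # key of EXPOSURE_FACTOR
    peer_mitigation_rate: float     # 0.0-1.0, kept for context, deliberately unweighted


def risk_score(f: Finding) -> float:
    """Return a 0-100 score dominated by asset impact and exposure."""
    if not 1 <= f.asset_criticality <= 5:
        raise ValueError(f"{f.label}: criticality must be 1-5")
    impact = (f.asset_criticality - 1) / 4          # normalize 1-5 onto 0-1
    exposure = EXPOSURE_FACTOR[f.exposure]          # KeyError on an unknown exposure class
    exploit = f.advisory_exploitability
    return round(100 * (W_IMPACT * impact + W_EXPOSURE * exposure + W_EXPLOIT * exploit), 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings for remediation, highest environmental risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings. The first two are the same flaw (same advisory rating,
# same peer mitigation rate) on two different assets; the third is a harder-to-exploit
# flaw on a critical, internally reachable data store.
SAMPLE_FINDINGS = [
    Finding("same-flaw-on-payment-db", "payment-db", 0.9, 5, "internet", 0.7),
    Finding("same-flaw-on-dev-wiki", "dev-wiki", 0.9, 2, "isolated", 0.7),
    Finding("hard-flaw-on-customer-store", "customer-store", 0.2, 5, "internal", 0.1),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):5.1f}  {f.label:30s} {f.asset}")
```

Running the block ranks the payment database first, the customer data store second and the development wiki last, even though the wiki shares its flaw with the top-ranked finding and the customer store's flaw is the hardest to exploit. Swapping the weights so that advisory exploitability dominates would push the wiki above the customer store, which is exactly the distortion the question warns against.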